From be19120a4a220cbb7a8fac5c0c5d98c240246ff9 Mon Sep 17 00:00:00 2001
From: Paul Belanger
Date: Tue, 22 Jun 2021 11:31:43 -0400
Subject: [PATCH] Add ssl support for zookeeper

Change-Id: I891373b656e4f2ab59e1cdffaa122bc821c46bf1
Signed-off-by: Paul Belanger
---
 defaults/main.yaml | 21 +++++++++++
 tasks/config.yaml | 30 +++++++++++++++
 templates/etc/zuul/ssl/zookeeper-cacert.pem | 4 ++
 templates/etc/zuul/ssl/zookeeper-client.key | 4 ++
 templates/etc/zuul/ssl/zookeeper-client.pem | 4 ++
 tests/playbooks/run.yaml | 42 +++++++++++++++++++++
 6 files changed, 105 insertions(+)
 create mode 100644 templates/etc/zuul/ssl/zookeeper-cacert.pem
 create mode 100644 templates/etc/zuul/ssl/zookeeper-client.key
 create mode 100644 templates/etc/zuul/ssl/zookeeper-client.pem

diff --git a/defaults/main.yaml b/defaults/main.yaml
index 68b1321..b1d868a 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -95,6 +95,27 @@ zuul_file_web_logging_conf_mode: 0644
 zuul_file_web_logging_conf_owner: "{{ zuul_user_name }}"
 zuul_file_web_logging_conf_src: etc/zuul/web-logging.conf
+zuul_file_zookeeper_tls_cacert_content:
+zuul_file_zookeeper_tls_cacert_dest: /etc/zuul/ssl/zookeeper-cacert.pem
+zuul_file_zookeeper_tls_cacert_group: "{{ zuul_user_group }}"
+zuul_file_zookeeper_tls_cacert_mode: 0644
+zuul_file_zookeeper_tls_cacert_owner: "{{ zuul_user_name }}"
+zuul_file_zookeeper_tls_cacert_src: etc/zuul/ssl/zookeeper-cacert.pem
+
+zuul_file_zookeeper_tls_cert_content:
+zuul_file_zookeeper_tls_cert_dest: /etc/zuul/ssl/zookeeper-client.pem
+zuul_file_zookeeper_tls_cert_group: "{{ zuul_user_group }}"
+zuul_file_zookeeper_tls_cert_mode: 0644
+zuul_file_zookeeper_tls_cert_owner: "{{ zuul_user_name }}"
+zuul_file_zookeeper_tls_cert_src: etc/zuul/ssl/zookeeper-client.pem
+
+zuul_file_zookeeper_tls_key_content:
+zuul_file_zookeeper_tls_key_dest: /etc/zuul/ssl/zookeeper-client.key
+zuul_file_zookeeper_tls_key_group: "{{ zuul_user_group }}"
+zuul_file_zookeeper_tls_key_mode: 0600
+zuul_file_zookeeper_tls_key_owner: "{{ zuul_user_name }}"
+zuul_file_zookeeper_tls_key_src: etc/zuul/ssl/zookeeper-client.key
+
 zuul_file_zuul_conf_dest: /etc/zuul/zuul.conf
 zuul_file_zuul_conf_group: "{{ zuul_user_group }}"
 zuul_file_zuul_conf_mode: 0640
diff --git a/tasks/config.yaml b/tasks/config.yaml
index d0e92e1..1b6cddf 100644
--- a/tasks/config.yaml
+++ b/tasks/config.yaml
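Review bot: In defaults/main.yaml the three new `*_content` defaults are bare `key:` values, so they load as null while the matching template tasks in tasks/config.yaml run unconditionally, leaving files under /etc/zuul/ssl whose body is whatever the templating layer renders for a null value (presumably the literal `None` or nothing) rather than a PEM block. If the CA cert, client cert and key are only meaningful as a set, gate the three template tasks, e.g. `when: zuul_file_zookeeper_tls_key_content is not none`, so a role user who has not configured ZooKeeper TLS does not end up with misleading certificate files that a later config change could silently point at. Nothing in this commit references the new paths from zuul.conf; if that is expected to come from operator-supplied config it is worth saying so here, e.g. `# PEM contents of the ZooKeeper TLS CA cert, client cert and client key; all three must be set together and referenced from the [zookeeper] section of zuul.conf`.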
@@ -144,3 +144,33 @@
 owner: "{{ zuul_file_zuul_conf_owner }}"
 src: "{{ zuul_file_zuul_conf_src }}"
 register: zuul_file_zuul_conf
+
+- name: Install zookeeper tls cacert configuration
+ become: true
+ template:
+ dest: "{{ zuul_file_zookeeper_tls_cacert_dest }}"
+ group: "{{ zuul_file_zookeeper_tls_cacert_group }}"
+ mode: "{{ zuul_file_zookeeper_tls_cacert_mode }}"
+ owner: "{{ zuul_file_zookeeper_tls_cacert_owner }}"
+ src: "{{ zuul_file_zookeeper_tls_cacert_src }}"
+ register: zuul_file_zookeeper_tls_cacert
+
+- name: Install zuul zookeeper tls cert configuration
+ become: true
+ template:
+ dest: "{{ zuul_file_zookeeper_tls_cert_dest }}"
+ group: "{{ zuul_file_zookeeper_tls_cert_group }}"
+ mode: "{{ zuul_file_zookeeper_tls_cert_mode }}"
+ owner: "{{ zuul_file_zookeeper_tls_cert_owner }}"
+ src: "{{ zuul_file_zookeeper_tls_cert_src }}"
+ register: zuul_file_zookeeper_tls_cert
+
+- name: Install zookeeper tls key configuration
+ become: true
+ template:
+ dest: "{{ zuul_file_zookeeper_tls_key_dest }}"
+ group: "{{ zuul_file_zookeeper_tls_key_group }}"
+ mode: "{{ zuul_file_zookeeper_tls_key_mode }}"
+ owner: "{{ zuul_file_zookeeper_tls_key_owner }}"
+ src: "{{ zuul_file_zookeeper_tls_key_src }}"
+ register: zuul_file_zookeeper_tls_key
diff --git a/templates/etc/zuul/ssl/zookeeper-cacert.pem b/templates/etc/zuul/ssl/zookeeper-cacert.pem
new file mode 100644
index 0000000..38b31c4
--- /dev/null
+++ b/templates/etc/zuul/ssl/zookeeper-cacert.pem
@@ -0,0 +1,4 @@
+# This file is generated by Ansible
+# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ zuul_file_zookeeper_tls_cacert_content }}
diff --git a/templates/etc/zuul/ssl/zookeeper-client.key b/templates/etc/zuul/ssl/zookeeper-client.key
new file mode 100644
index 0000000..01ec7e3
--- /dev/null
+++ b/templates/etc/zuul/ssl/zookeeper-client.key
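Review bot: The task `Install zookeeper tls key configuration` writes a private key through the `template` module without `no_log: true`, so a run with `--diff` (or diff-always in ansible.cfg) prints the before/after contents of /etc/zuul/ssl/zookeeper-client.key to the controller output and whatever collects it; add `no_log: true` to that task, which also suppresses the diff display. The three tasks also write straight into /etc/zuul/ssl without a task that creates that directory; unless it is created earlier in the role (not visible in this diff) `template` fails on the missing destination directory, and the directory's own mode is what bounds who can even list the key file, so a `file` task with `state: directory` and a restrictive mode ahead of these would be worth adding. The `mode: 0600` default for the key is right; keep the cert and CA at 0644 only if the same `/etc/zuul/ssl` directory mode is relied on for the key.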
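Review bot: The three new templates zookeeper-cacert.pem, zookeeper-client.key and zookeeper-client.pem (this hunk and the two that follow) place three `#` comment lines above the PEM payload; OpenSSL-based readers skip text outside the `-----BEGIN`/`-----END` markers, but not every loader does, so confirm the consumer tolerates a leading comment block or drop the header from these three files. The `{{ ... }}` substitution is unfiltered, so a null default or a value with stray surrounding whitespace is written as-is and only surfaces as a TLS failure at ZooKeeper connect time; `{{ zuul_file_zookeeper_tls_cacert_content | mandatory | trim }}` (and the same for the key and cert templates) would make a missing value fail at deploy time instead.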
@@ -0,0 +1,4 @@
+# This file is generated by Ansible
+# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ zuul_file_zookeeper_tls_key_content }}
diff --git a/templates/etc/zuul/ssl/zookeeper-client.pem b/templates/etc/zuul/ssl/zookeeper-client.pem
new file mode 100644
index 0000000..d4be926
--- /dev/null
+++ b/templates/etc/zuul/ssl/zookeeper-client.pem
@@ -0,0 +1,4 @@
+# This file is generated by Ansible
+# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ zuul_file_zookeeper_tls_cert_content }}
diff --git a/tests/playbooks/run.yaml b/tests/playbooks/run.yaml
index ad93c64..4d1f8b2 100644
--- a/tests/playbooks/run.yaml
+++ b/tests/playbooks/run.yaml
@@ -308,6 +308,48 @@
 - _zuul_web_service_systemd_stat.stat.gr_name == 'root'
 - _zuul_web_service_systemd_stat.stat.mode == '0644'
+ - name: Register /etc/zuul/ssl/zookeeper-cacert.pem
+ stat:
+ path: /etc/zuul/ssl/zookeeper-cacert.pem
+ register: _zuul_file_zookeeper_tls_cacert_stat
+
+ - name: Assert _zuul_file_zookeeper_tls_cacert_stat tests.
+ assert:
+ that:
+ - _zuul_file_zookeeper_tls_cacert_stat.stat.exists
+ - _zuul_file_zookeeper_tls_cacert_stat.stat.isreg
+ - _zuul_file_zookeeper_tls_cacert_stat.stat.pw_name == 'zuul-test'
+ - _zuul_file_zookeeper_tls_cacert_stat.stat.gr_name == 'zuul-test'
+ - _zuul_file_zookeeper_tls_cacert_stat.stat.mode == '0644'
+
+ - name: Register /etc/zuul/ssl/zookeeper-client.pem
+ stat:
+ path: /etc/zuul/ssl/zookeeper-client.pem
+ register: _zuul_file_zookeeper_tls_cert_stat
+
+ - name: Assert _zuul_file_zookeeper_tls_cert_stat tests.
+ assert:
+ that:
+ - _zuul_file_zookeeper_tls_cert_stat.stat.exists
+ - _zuul_file_zookeeper_tls_cert_stat.stat.isreg
+ - _zuul_file_zookeeper_tls_cert_stat.stat.pw_name == 'zuul-test'
+ - _zuul_file_zookeeper_tls_cert_stat.stat.gr_name == 'zuul-test'
+ - _zuul_file_zookeeper_tls_cert_stat.stat.mode == '0644'
+
+ - name: Register /etc/zuul/ssl/zookeeper-client.key
+ stat:
+ path: /etc/zuul/ssl/zookeeper-client.key
+ register: _zuul_file_zookeeper_tls_key_stat
+
+ - name: Assert _zuul_file_zookeeper_tls_key_stat tests.
+ assert:
+ that:
+ - _zuul_file_zookeeper_tls_key_stat.stat.exists
+ - _zuul_file_zookeeper_tls_key_stat.stat.isreg
+ - _zuul_file_zookeeper_tls_key_stat.stat.pw_name == 'zuul-test'
+ - _zuul_file_zookeeper_tls_key_stat.stat.gr_name == 'zuul-test'
+ - _zuul_file_zookeeper_tls_key_stat.stat.mode == '0600'
+
 - name: Ensure zuul-executor is running.
 become: yes
 shell: /usr/sbin/service zuul-executor status
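Review bot: The new asserts check that the three files under /etc/zuul/ssl exist with the expected owner and mode but never look at their content, so a null `*_content` default that renders to a non-PEM body, or an empty file, passes this test unchanged. Reading the key back with `slurp` (with `become`, since the file is 0600 and owned by zuul-test) and asserting that the decoded content contains a `-----BEGIN` marker would catch that class of error; the same pattern applies to the two certificate files. I cannot see where this play sets the `zuul_file_zookeeper_tls_*_content` fixture values, so that is presumably outside this hunk.
```yaml
    - name: Slurp /etc/zuul/ssl/zookeeper-client.key
      become: true
      slurp:
        src: /etc/zuul/ssl/zookeeper-client.key
      register: _zuul_file_zookeeper_tls_key_content

    - name: Assert zookeeper-client.key holds a PEM block
      assert:
        that:
          - "'-----BEGIN' in (_zuul_file_zookeeper_tls_key_content.content | b64decode)"
    # … unchanged: existing stat/assert tasks for the cacert, cert and key …
```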